Telstra recently published its Telstra Security report 2019 aimed at helping businesses better understand and respond to cybersecurity threats.
The report discovers that nearly one-third of organisations estimate that breaches occur completely under the radar more than 40% of the time. Also, since the introduction of GDPR, 55% of organizations reported that they have been fined for data security breaches. This all points to a serious challenge. This report breaks down the various elements that combine to result in high potential levels of vulnerability and offers some succinct action points on steps that can made be to bolster security.
IoT sensors are weak-point for hackers
The emergence of IoT is delivering dramatic improvements to business processes and for the good of society. However, the thousands upon thousands of sensors that are the new network end-points give criminal hackers more opportunities to enter unsecure networks and cause havoc or steal money.
To compound the increasing numbers of possible entry-points for bad actors is the fact that simple hardware components have no in-built security whatsoever. The sensors that might make up an IoT solution, such as temperature and moisture sensors in an agricultural setting, are notoriously easy for hackers to compromise. Moreover, once the breach has taken place, it can then be extremely difficult to detect in the first place and mitigate once discovered.
All of the above contributes to what is being named an ‘increased attack surface’ for the cyber criminals to exploit.
In a classic game of cat and mouse, on the side of the bad actors there is a new supply-chain in existence, where lone-wolf hackers and small time petty criminals are discovering vulnerabilities within smaller business – and then selling either viruses or stolen credentials and passing these on to criminal gangs and state-sponsored cybercrime groups. Worrying indeed. Information, tools, stolen data, and comprised ID information are all now available on the dark Web and shared freely amongst hackers, cyber-bandits, and criminal gangs. There is no discrimination and smaller companies are just as likely to become targets and victims of attack, and used as vectors into larger businesses and government.
Corporate-wide policies needed to protect against human error
The fact is that many breaches take place due to human error – either intentionally or unintentionally. Technology is available to prevent and react to cybersecurity breaches. But without a corporate-wide policy and program, that is fully supported by the leadership of the company and across all members of staff, vulnerabilities will result.
Referring back to Telstra’s security report: at least 30% of European respondents reported monthly or weekly brute-force hacking, malicious insider, and employee human error incidents during 2018.
Basic accidental errors are most prevalent overall, with 88% of European respondents reporting experiencing these incidents at least once in the last 12 months, and 26% identified the greatest risk of their organization’s IT security likely to come from an accidental insider.
Thus businesses need the C-suite execs to take part in the security program, and ensure that company-wide training on policies and the required steps for security compliance are all adhered to and frequently reviewed.
How to improve cybersecurity
Companies need to begin adopting a more holistic view to security. In the past – before network and IT virtualisation and cloud platform adoption became massive – the act of placing a firewall between the corporate site and the Internet or private network was good enough. Today the security threat landscape has changed enormously and this means that security must be built-in at multiple points, including within the organisation’s LAN, on mobile devices, perimeter firewalls, and also into cloud and ionternet-hosted systems. Furthermore, if IoT is a part of corporate systems, then efforts must be made to secure the network endpoints (sensors) right at the edge.
The second area to address is that of zero-trust: companies need to start from the assumption that they are being hacked right now, or have already been hacked. Employee log-in activity has to be verified beyond basic username/password, ideally with double- or triple-factor authentication to thoroughly check that users are who they say they are.
Finally, bearing in mind as written above that accidental insider breaches are so common, organizations need to maintain regular employee training and education programs to make sure that this weakness is addressed effectively.